Anuj Goel is CEO and co-founder of Cyware, a company focused on intelligence-led cybersecurity and operational resilience.
The enterprise cybersecurity stack has never been more capable. Endpoint detection is sophisticated and AI-driven. SIEM platforms ingest and correlate at scale. Cloud-native security tooling is built into the infrastructure itself. By almost every measure, the visibility organizations have into their own environments today is extraordinary compared to a decade ago.
And yet breaches continue, response times remain dangerously slow and security teams are overwhelmed. Understanding why requires an honest diagnosis. The issue shows up in how information is interpreted and acted on after detection, where most workflows break down.
The Layer That Sits Above Detection
An alert from an endpoint detection and response (EDR) platform tells us that something happened. A threat feed containing thousands of indicators of compromise (IOCs) tells us what others have observed. Neither tells us whether the activity is relevant to our environment, how it intersects with our asset exposure and known vulnerabilities, or whether it reflects the tactics of threat actors most likely to target our organization.
That gap between raw intelligence and actionable context is where security programs often break down. The issue shows up in how information is interpreted and acted on after detection, impacted by limitations of the infrastructure to produce the necessary context at scale.
Why Agentic AI Plays A Key Role
For many in the industry, the current response to this problem is agentic AI. The premise is that if AI can replicate a senior analyst’s reasoning—integrating data from multiple tools while judging attacker intent—the “context problem” is effectively solved. This requires the system to prioritize complex action sequences even under high uncertainty, but it is not quite that simple.
Agentic AI is only as good as the data it can reason over. An agent operating over siloed, stale, unenriched data does not produce senior analyst-level judgement. It produces faster versions of the same shallow decisions that rule-based automation was already making. The reasoning capability is real, but the substrate it requires does not yet exist at most organizations.
This gap between adoption and execution is showing up across enterprise AI efforts. Research from McKinsey shows that while AI adoption continues to increase, many organizations still struggle to translate it into consistent operational impact.
This dependency is often overlooked. Good agentic AI security outcomes require rich, structured and continuously updated context. That foundation is built on intelligence that is normalized, correlated and operationalized across internal and external sources.
Deploying agentic AI without solving the context layer first is not an acceleration. It is automation applied to an unsolved problem, which produces scale without accuracy and speed without confidence.
The Real-Time Collaboration Opportunity
There is a third dimension to this problem that receives even less attention than the context gap: the near-complete absence of organized threat intelligence sharing across organizational boundaries.
Adversaries, particularly sophisticated nation-state actors and organized ransomware groups, operate as coordinated networks. They share tooling, vulnerability intelligence and target intelligence continuously. Defenders share, but not in real time. When an organization detects and responds to a threat, that intelligence is almost never automatically shared with peer organizations in a form that allows those peers to act on it immediately, keeping humans in the loop.
The result is that every organization ends up solving threat detection problems that their peers already solved hours or days earlier. The same attack patterns are detected, triaged and responded to independently, potentially thousands of times across the ecosystem. The collective knowledge of the defensive community exists, but it doesn’t flow in real time across shared infrastructure.
A Stack For Combating Future Threats
If the enterprise cybersecurity stack were designed from scratch today knowing what AI can now do and where the actual bottlenecks are, I believe it would look very different. Here are the three requirements that I believe this new stack would need to include:
1. A normalized, continuously enriched intelligence layer that ingests both structured and unstructured signals from internal tools and external sources, correlates them against specific environmental context and produces confidence-scored, prioritized and explainable outputs.
2. A collaboration infrastructure allowing that intelligence to flow across organizational boundaries in near real time with appropriate governance controls, while keeping humans informed about every decision it takes to stop a high-risk threat.
3. An agentic AI reasoning layer that operates over that foundation, rather than trying to compensate for its absence.
The Strategic Takeaway
Security teams are not short on data or tooling. The constraint shows up when they have to decide what matters and what to do next. That step still depends on stitching together signals across systems, often under time pressure and without a consistent way to apply context.
Addressing that requires more than improving detection. It requires a way to structure intelligence, apply it within workflows and coordinate action across teams and organizations. It also requires a layer that can support automated reasoning, where agentic systems can assist with investigation and response without operating in isolation.
Those pieces are tightly connected. Without structured intelligence, AI systems have limited value. Without coordination, intelligence remains local. And without consistent workflows, neither translates into action. Organizations that build around these dependencies can work more effectively to reduce the time between signal and response.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
